我正在制作一个 cloudformation 模板来创建具有其权限的 lambda。 我需要访问特定的 s3 存储桶,并且放置其特定的 arn,但是当我执行 lambda 时,它告诉我它没有访问该存储桶 (getObject) 的权限,但如果我输入 s3 的几乎全名只是我在末尾添加了 *,如果它允许我访问该存储桶中的文件。
存储桶名称:bucket-test-impl
LambdaSSMPermissions:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
Policies:
- PolicyName: allowSsmS3
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- ssm:PutParameters
- ssm:PutParameter
- s3:GetObject
Resource:
- arn:aws:s3:::bucket-test-* //THIS WORKS
- arn:aws:s3:::bucket-test-impl //IT DOESN'T WORK AND IT'S THE ONE I NEED,
- !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/abcd/*/*'
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
最佳答案
要访问 s3 存储桶,您必须在路径末尾提供/*。
改变
arn:aws:s3:::bucket-test-impl
至
arn:aws:s3:::bucket-test-impl/*
关于amazon-web-services - cloudformation中定义的资源权限,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/74536926/